I'd like to also ask why the code can't be done away with. If you use WinTech or SafeTech you need to be able to authenticate with a valid account on the machine, so I'm not really sure what benefit the code actually gets us.
Especially when it is so easy to find a workaround....
I guess it acts as a first level deterrent.
It's not a security control so much as a "keep id10ts from touching stuff".
Witness several posts here from end users trying to fix themselves, or get around their company controls. While at first it's kind of a hassle to call them frequently, it keeps you from making too much of a mess of a recovery when you don't really know what you're doing.
Certainly, supporting the product for this long, I have a list of "known issues" for our environment, along with the appropriate fixes. At this point, yes it would be a hassle to call them for every little hiccup.
rbarstow hit the nail on the head. Without the code, anyone who knows a MEE username and password associated with a laptop could use SafeTech and WinTech and really do some damage.
If an end user who is only slightly tech savvy (someone such as myself) knows how to remove MEE using WinTech they will do it. But they can't without this code, so I normally stress to all my administrators to NOT give this code out to end users.
I get admins all the time who say,
"Well, I have a user in BFE and I'd like to just ship a WinTech CD to them to fix this on their own.... can I give them the top secret code that unlocks all the goodies?"
NOOOOO you can't! LOL
All good points made so far. No matter how you obtain the code it is still the responsibility of the organization to secure the process. The same goes with end users who write down their password/local recovery question answers on a post-it and tape it to their laptop.
Good point. It would be really snazzy if you could generate this code from the Management Console. Put in an FMR.